The good, the bad and the ugly (or Python, Security FW and Harmattan)

In Harmattan, if you want to access certain resources (e.g. Tracker) you need to ask the Security FW for permission. It is not as bad as it sounds. You just need to add a file to your package declaring which “tokens” you need. Then, depending on where your package comes from and some other ingredients, the Security FW decides whether your application is worthy of such a privilege.

Today I was packaging a very first version of Mussorgsky in QML which requires the “TrackerReadAccess” token (to query Tracker via dbus). So far I have been working in the command line tool where an aegis-su -r TrackerReadAccess python mussorgsky.py was enough. But how to do the same when the application is installed?

Create a $PACKAGE_NAME.aegis file under your debian/ directory. There you need to declare which tokens you want for which binary. Example: in mussorgsky.aegis I request “TrackerReadAccess” for “/usr/lib/mussorgsky/mussorgsky-qml.py”, which is the executable that starts my program.

Put the aegis file in the package. Using CDBS is almost the same as in C++, without the include of autotools.mk:
# Add this to the debian/rules file
# (the two recipe lines must start with a tab, as in any Makefile)
PACKAGE_TARGETS := $(foreach pkg,$(DEB_ALL_PACKAGES),binary/$(pkg))
$(PACKAGE_TARGETS)::
	[ ! -f debian/$(notdir $@).aegis ] || aegis-deb-add -control \
	debian/$(notdir $@)/DEBIAN/control .. debian/$(notdir $@).aegis=_aegis

Then you build your package. It should install nicely and your application should run without problems on the device. Still, a couple of remarks:

The token must go to an executable script (with #!/usr/bin/python on its first line). python myscript.py will not work. The path is absolute.

After installing the package, do NOT modify the installed files if they request a token. Security FW will discover an unexpected change in the file and lock the device (oops! reflash). Imported files and other resources can be modified.
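A pre-build check for the first remark above, as an added example that is not part of the original post: it reads the .aegis file and verifies that every target path is absolute, is shipped in the package tree (debian/<package> in the rules snippet), is executable, and starts with a #! line. The manifest layout (aegis, request, credential and for elements) and the names check_manifest, demo and staging_root are assumptions, since the post does not show the file's contents.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample; the element layout is an assumption, the post does not show the file.
SAMPLE_MANIFEST = """<aegis>
  <request>
    <credential name="TrackerReadAccess" />
    <for path="/usr/lib/mussorgsky/mussorgsky-qml.py" />
  </request>
</aegis>"""


def check_manifest(manifest_xml, staging_root):
    """Return problems found for each <for path=...> target under staging_root."""
    problems = []
    for target in ET.fromstring(manifest_xml).iter("for"):
        path = target.get("path", "")
        if not path.startswith("/"):
            problems.append("%s: path must be absolute" % path)
            continue
        staged = os.path.join(staging_root, path.lstrip("/"))
        if not os.path.isfile(staged):
            problems.append("%s: not shipped in the package" % path)
            continue
        if not os.stat(staged).st_mode & stat.S_IXUSR:
            problems.append("%s: not executable" % path)
        with open(staged, "rb") as fh:
            if not fh.readline().startswith(b"#!"):
                problems.append("%s: no #! interpreter line" % path)
    return problems


def demo():
    """Check a constructed package tree before and after fixing the script."""
    results = []
    with tempfile.TemporaryDirectory() as root:
        script = os.path.join(root, "usr/lib/mussorgsky/mussorgsky-qml.py")
        os.makedirs(os.path.dirname(script))
        for body, mode in (("print('hi')\n", 0o644),
                           ("#!/usr/bin/python\nprint('hi')\n", 0o755)):
            with open(script, "w") as fh:
                fh.write(body)
            os.chmod(script, mode)
            results.append(check_manifest(SAMPLE_MANIFEST, root))
    return results
```

demo() returns two lists: the problems for a script without the #! line and the executable bit, then an empty list once both are fixed.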

@Luciano I used a project created with pyside-assistant as inspiration to update my old-fashioned debian/ directory. Great stuff for starting a new project (we pythoners are outcasts from the QtCreator world ;))

Yep, modifying a file under the security FW umbrella locks the device on a screen “suggesting” a reflash.

It is a nasty surprise the first time it happens, but in practical terms it is not so annoying: most of the time I run my application directly from the source code in $HOME with aegis-su, so I can modify/try without rebuilding the package.

This “integrity check” only affects programs or libraries that request a token from the security FW. Configuration files follow the usual user/group protection in Linux. Nothing changes for that.

If the Python app doesn’t request any special permission from security FW, you can tweak it as before. If the script does something sensitive (that requires security supervision), then it seems reasonable to prevent uncontrolled changes on it.

Can you use Harmattan Security Framework together with a Python application in a way to store/retrieve API keys on the device in a secure manner? The idea would be that only the application could view and use the API key, and it would not be visible to user/root. If changes to the Python scripts do cause a device lockup, then users could not intercept the key. Any thoughts on how to implement such a transaction? Thank you.